mirror of
https://github.com/curl/curl.git
synced 2026-05-22 05:26:20 +03:00
7541ae569d
cert_type, key, key_type, key_passwd and key_blob lived in ssl_config_data but not in ssl_primary_config, so they were invisible to match_ssl_primary_config() and to the TLS session cache peer key. Two easy handles sharing a connection pool could reuse each other's authenticated connections when they differed only on SSLKEY, SSLKEYTYPE, KEYPASSWD, SSLCERTTYPE or SSLKEYBLOB. The second handle would silently inherit the first handle's authenticated identity. Promote all five fields into ssl_primary_config so the conn-reuse predicate and session cache key cover the complete client credential set. Also replace the fixed ":CCERT" session cache marker with the actual clientcert path so sessions are not shared across different client certificates. Verified by test 3303 and 3304 Reported-By: Joshua Rogers (AISLE Research) Closes #21667
20 lines
286 B
XML
20 lines
286 B
XML
<?xml version="1.0" encoding="US-ASCII"?>
|
|
<testcase>
|
|
<info>
|
|
<keywords>
|
|
unittest
|
|
TLS
|
|
mTLS
|
|
</keywords>
|
|
</info>
|
|
|
|
# Client-side
|
|
<client>
|
|
<features>
|
|
unittest
|
|
</features>
|
|
<name>
|
|
TLS session cache peer key discriminates on mTLS key, key_type and cert_type fields
|
|
</name>
|
|
</client>
|
|
</testcase>
|